On 15 March, the National Cybersecurity Standardisation Technical Committee of China (TC260, China’s leading committee for the formulation of technical standards) released a national standard entitled Data Security Technology — Rules for Data Classification and Grading (the Classification Standard), which will take effect on 1 October 2024.
Critically, the Classification Standard incorporates the important data identification rules that were previously set out in standalone form (see our analysis of their consultation draft of 14 September 2022 and of the version leaked in March last year).
Overall, the Classification Standard grades data into three levels – core data, important data and general data – and sets out the principles and processes for data classification and grading. These guidelines will serve as a helpful reference for organisations in fulfilling their accountability obligations for data classification and grading under China’s Data Security Law and Personal Information Protection Law.
Why must organisations identify “important data”?
China has recently enacted and revised various laws to strengthen the national security and data security regimes that apply within its territory. On the one hand, these laws principally seek to protect China’s national security and interests but, in doing so, may change the risk profile for multinationals operating in the world’s second largest economy. On the other hand, the Chinese State Council’s action plan earlier this year stated that government authorities must scientifically define the scope of important data so as to steadily open up the country’s sectors and attract and utilise foreign investment.
Against this backdrop, enterprises in China need to assess whether the data they handle amounts to important data, since that finding triggers more stringent operational compliance requirements under the PRC Data Security Law, the Personal Information Protection Law, the Cybersecurity Law and the Anti-Espionage Law – including prohibitions or restrictions on exporting certain information from the PRC. For that reason, the Classification Standard is a pivotal reference for multinationals navigating the legal and regulatory uncertainty currently attached to their day-to-day cross-border data transfers.
What does the Classification Standard say?
The Classification Standard defines “important data” as data in specific sectors, groups and regions which, once leaked, tampered with or damaged, may directly endanger national security, economic operations, social stability, or public health and safety. Data whose compromise would affect only individual organisations or persons is generally carved out of “important data”.
On the basis of this general scope, Annex G to the Classification Standard further provides a list of factors and examples to be considered when identifying “important data”.
What to note in Annex G?
Similar to the version of the important data identification rules leaked in March last year:
- Annex G sets out a total of 17 categories of factors to be considered when identifying important data. Under each category, examples are provided to help enterprises scope the data that could potentially be captured.
- In particular, Annex G covers some categories that multinationals may encounter in their ordinary business operations and should therefore treat with caution. These include (i) data that reflects the overall or key areas of economic operation and financial activities and relates to industrial competitiveness, such as unpublished statistical data or trade secrets of key businesses; and (ii) data that relates to China’s scientific and technological strength, affects China’s international competitiveness, or relates to China’s export-controlled items, such as the source code or important parameters of those items.
In contrast to the leaked version of those rules, however, Annex G makes the following notable revisions:
- Annex G removes, among other items, (i) data that may directly affect state sovereignty, political security, the political system and ideological safety; (ii) undisclosed governmental affairs data, intelligence data, and law enforcement and judicial data; and (iii) undisclosed data on special highways and airports.
- The intention behind these removals is not yet clear. Given the heightened scrutiny and tightened regulatory curbs around national security and data security, our initial view is that these categories may have been elevated to “core data” or to other sensitive types of data such as state secrets, and would thus be subject to stricter scrutiny under rules yet to be published for all sectors.
- Annex G brings data that may affect the security of AI within the scope of important data. This follows China’s first generative AI regulation, which took effect in August last year. While pledging to promote AI technology, China is deliberately taking a balanced approach by placing AI supervision on its agenda in the face of growing security, data and privacy concerns. Enterprises in the AI industry, or that have deployed AI technologies, must monitor the continuing changes in the rules governing these emerging technologies.
Data classification on the horizon
Alongside the Classification Standard, the market has seen various region- and industry-specific initiatives, such as the data classification and grading specification for the Tianjin Free Trade Zone, the trial measures for the Lingang Special Area, and the data classification and grading rules and guidance for the healthcare, industrial, securities and futures, and natural resources sectors.
Yesterday (9 May), the Tianjin FTZ issued its data export management negative list which, among other things, sets out 13 sector-specific data categories whose export will trigger a data export security assessment.
The issuance of the Classification Standard may set a precedent and accelerate the formulation of data classification and grading guidelines tailored to other regions and sectors, particularly industry-specific important data catalogues. Hopefully multinationals will soon receive more clarity on the types of data that they may (or may not!) export going forward.
Recommended actions
Companies should stay ahead of the curve and take action to:
- map their data assets;
- formulate internal data classification and grading policies and catalogues;
- identify, on an ongoing basis, whether they possess or process any important data, by reference to existing regional and industry rules and guidelines; and
- implement safeguards to protect data in line with the classification and grade allocated to it.
If you need help on any or all of these steps, please reach out to our tech and data specialists!